Flaws found in Cisco, Juniper and IBM kit

Cisco, Juniper and IBM are suffering embarrassment today as a Home Office agency announced details of a software vulnerability that affects the vendors' products.

The National Infrastructure Co-Ordination Centre (NISCC) has published details of a denial-of-service vulnerability that can affect routers' ability to handle TCP traffic. Hackers commonly use denial-of-service attacks to flood target computers with data so they fail to work.

The NISCC Web site stated: "The impact of the ICMP TCP reset vulnerability varies by vendor and application, but in some deployment scenarios it is likely to be rated medium to high. If exploited, [this] could allow an attacker to create a denial-of-service condition against existing TCP connections, resulting in premature session termination."

Cisco is advising customers to update their products. It admitted that the problem affects PIX firewalls and all products running IOS — the operating system the majority of Cisco routers use.

"There is a free software fix available," said a Cisco spokesman. "It's an industry issue. We worked with NISCC to co-ordinate [the fix]." He added that the company had known about this for some time.

IBM admitted that its AIX operating system was also vulnerable, but the company appeared not have released detailed information yet. IBM was unable to respond in time for the publication of this article.

On NISCC's Web site, a Juniper spokesman wrote: "Juniper Networks M-series and T-series routers running certain releases of JUNOS software are susceptible to this vulnerability." Juniper also failed to respond to requests for comment.

Although the three vendors are unlikely to be the only companies affected by the vulnerability, their products form a large part of the Internet infrastructure.

NISCC has published details of how to characterise and fix the problem on its Web site.